Company will release special removal tool for affected users, is remotely killing apps

Google is reacting quickly to what is perhaps the largest mass infection of Android users yet. Rather than keep quiet, Google quickly pulled the 58 malicious apps, which were repackaged versions of legitimate apps bundled with extra malicious APKs designed to grab personal information, obtain root access, and install code remotely.

Now it's taking even more strident measures to combat the attack, reaching out to affected users personally. Google began executing its remote kill functionality on the malicious apps on Saturday.

It also pushed an update to affected users' phones that removes the installed rootkit. Google sent the following email [source] to the estimated 260,000 affected Android users:

Hello,

We recently discovered applications on Android Market that were designed to harm devices. These malicious applications (“malware”) have been removed from Android Market, and the corresponding developer accounts have been closed.

According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).

However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says “Android Market Security Tool March 2011” has been installed. You are not required to take any action from there; the update will run automatically. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.

To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection.

For more details, please visit the Android Market Help Center.

Regards,
The Android Market Team

The flaw that allowed the malware to gain root access without asking for permissions was actually fixed by Google in the Android 2.2.1 firmware update. Unfortunately, carriers have been extremely sluggish at rolling out updates to Android users, and this is the end result.

Google has repackaged the fix as a standalone patch and given it to carriers and handset makers. But it is up to the carriers and their hardware partners to push it out to phone customers, since the patch has to be adapted to each individual hardware configuration.

In other words, Google is keeping busy killing the burglars in the house, but the back door is still wide open. At least it's doing something, though, and giving its customers the decency of communication.

Google is also taking steps to make sure similar malware doesn't reappear in the Android Market. While the company is vague on specifics, it writes:

We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

For example, Nicolas Seriot, a Swiss iPhone expert, demoed an app called "SpyPhone" [white paper] at the annual Black Hat conference, showing how easy it would be to sneak malware into the App Store. It is unknown whether this is being actively done, but Mr. Seriot's white paper offered obfuscation code that disguised disallowed strings, offering hackers a clear path to getting their malware into the App Store (the only other necessary steps would be delayed activation of the malicious activity and avoiding the use of private APIs).

Comments


quote: Systems that check for malware in advance of distribution are never perfect but are always safer than systems that don't check for malware in advance of distribution.

Google checks its apps pre-approval, just not to the extent Apple tests them. It's misleading to suggest it doesn't screen, though, if that's what you're trying to say.

So let me get this right. Google says it checked the content and then installed a security update on a couple of hundred thousands Android phones and then informed their owners that it had done so after the fact and your interpretation of that based on the way that your phone handles updates is that - well at that point you lost me.

My reading of what Google announced it has done is that Google has a system whereby it could reach out to a vast swathe of Android phones, presumably on different handsets and with different carriers because the malicious code could have been installed by anybody, check the content of said phones and then delete and install code/apps at will. And at no point were the phone's owners asked if this was OK. All the owners got was a message telling them it happened.

If Google is telling the truth that seems a big deal to me. They are using that power for good in this example but did any of you Android handset users know they had such power and such capabilities and what are the privacy issues here?

As to your claim that malware must exist on the iPhone, even though there is no evidence of it existing, that just seems desperate and irrational. If we ignore actual evidence we can claim anything - perhaps it was Elvis who distributed the Android malware from the secret bases on the moon.

Trying to pretend that Android is as secure or more secure than iOS is silly and intellectually cowardly. Why not just say 'I still prefer the Android model to iOS but this is an example of the downside to choosing Android'. That seems a more honest position than your bizarre dissembling.

Kinda have to agree with Tony on this one. Remote kill is one thing since several platforms seem to have that. I still think that is dumb btw, but that's something else altogether. No company/person should be able to install something on my stuff remotely without my permission. It's like giving the government a backdoor into your phone. Sure, they could do good with it, but is that really the point? Moreover, backdoors almost always end up getting used for evil.

I wonder if they can do this on any phone with Android, even with rooted phones and such?

I kinda agree too. That's probably one of the most rational and unbiased posts from Tony I've ever seen.

However, since this remote kill has been pushed without user acknowledgement or intervention, as you said, several platforms have this. This could already have been done on any device, including those from Apple, Microsoft, HP, and so on, and we may not know it.

The only reason we know of it in this scenario is due to the severity of the issue, and Google's public response.

quote: Lack of proof is not proof in and of itself that something doesn't exist.

And your point is...? Oh that's right, you ignore the fact that Android has experienced verified and ongoing security breaches via malware / virii, yet try and lump iOS into the same category because "lack of proof is not proof in and of itself that something doesn't exist". This is your argument? Unbelievable. Jason, I believe Android is about to become crippled by a massive uber-virus rendering all Android phones "bricks". What, you don't believe me? That's okay, because "lack of proof is not proof in and of itself that something doesn't exist". See how I did that?

1. I can't follow your logic at all. Your EVO requires your permission to install updates? Okay. Go on? How does that relate to these 260,000 people having updates install without permission and THEN having an email sent letting them know an update was just installed.

2. You doubt that? If you don't have proof then SHUT UP. You can't make claims that Apple and Google are in the same boat, offer no proof, and then claim that a lack of proof does not prove that something doesn't exist? I can't believe I just read that.

3. If Apple eliminates dumb malware but not the "smart malware" how does that make Google look? Also, since all of this "white paper" crap is supposedly possible why is it so difficult for you to come up with a single relevant example? Could it possibly be because reality doesn't support your baseless claims?

4. This whole post is ridiculous. You painted yourself into a corner with a ridiculous original post but now you are just making yourself look like an idiot by trying to claw your way out. Stop while you are ahead next time.

Am I the only one that remembers all the "media player" apps on the iOS that took personal information from its users? I can go dig up the articles if someone would like me to, but surely I can't be the only one to remember that.